Graphistry Iframe Blocked in Louie#
Diagnose and fix “This content is blocked. Contact the site owner to fix the issue.” (or blank/looping iframe) when a Louie thread renders a Graphistry graph.
When this applies#
Louie and Graphistry are deployed on different origins (different hostnames, or different subdomains with different cookie scopes), even if they sit behind the same proxy or on the same box. Cross-origin embedding depends on cookie policy and CSP alignment — not on X-Frame-Options alone.
If Louie and Graphistry are served from the exact same origin, this runbook does not apply.
Three-way host alignment#
For cross-origin iframes to authenticate and render, three hosts must be the same value:
Louie’s
OA2_HOST(the Graphistry OAuth2 host Louie redirects users to)The Graphistry browser-facing host that serves the iframe
The host listed in Louie Caddy’s CSP
frame-srcandchild-src
A mismatch between any pair causes the iframe to be blocked by the browser or to loop on auth.
Required settings#
Louie side (CSP and OA2_HOST)#
In Louie’s Caddy config, the Graphistry host must appear in both frame-src and child-src:
Content-Security-Policy "... frame-src 'self' https://your.graphistry-server.xyz; child-src 'self' https://your.graphistry-server.xyz; ..."
In Louie’s $LOUIE_HOME/data/custom.env:
OA2_HOST='https://your.graphistry-server.xyz'
The hostname in OA2_HOST must exactly match the CSP entries above and the host actually serving Graphistry to the browser.
Diagnosis checklist#
Run these in order. Stop at the first mismatch.
Confirm origins differ. If Louie and Graphistry share a single origin, this page is not your problem.
Inspect the browser console on the failing page. “Refused to frame … because it violates CSP
frame-src/child-src” points to the Louie CSP. A cookie warning aboutSameSitepoints to Graphistry cookie flags.Check Graphistry cookies on the Graphistry host (DevTools → Application → Cookies). Require
SameSite=None; Secureon session cookies. If wrong, fix on the Graphistry side per the Graphistry Admin Guide → TLS hardening.Check Louie’s CSP response header (DevTools → Network → the Louie HTML response). Confirm
frame-srcandchild-srcboth include the Graphistry host literally.Compare hostnames.
OA2_HOSTin$LOUIE_HOME/data/custom.envshould be byte-identical to the Graphistry host in CSP and to the host the browser actually loads Graphistry from (follow redirects).
Fix#
Apply the missing piece from the checklist above, then restart the affected service.
For Graphistry-side cookie changes, restart the Graphistry stack per the Graphistry Admin Guide → TLS hardening.
For Louie-side CSP or OA2_HOST changes:
cd $LOUIE_HOME
./dc up -d --force-recreate caddy louie api
Reload the Louie page in a fresh browser context (clear the Graphistry cookies first if you changed cookie flags).